cobo-agentic-wallet-prod
Fail
Audited by Snyk on Mar 21, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask for tokens/invitation codes and to include them verbatim in CLI commands (e.g., --token ) and to "show the command", which requires the LLM to output secret values directly, posing an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third‑party content (e.g., the SKILL.md version from https://agenticwallet.cobo.com/ and numerous runtime API calls to public services such as https://quote-api.jup.ag, https://api.coingecko.com, and https://clob.polymarket.com) and uses those responses to drive trading/transaction decisions (price triggers, swap instructions, policy suggestions), so untrusted external content can materially influence tool use and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's bootstrap script downloads and installs executable binaries at runtime from URLs such as https://download.agenticwallet.cobo.com/binary-release/.../caw-{ver}-{os}-{arch}.tar.gz and https://download.tss.cobo.com/binary-release/latest/cobo-tss-node-{os}-{arch}.tar.gz, which fetch remote code that will be executed and are required for onboarding, so they present a runtime code-execution dependency risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and primarily designed to perform cryptocurrency financial operations. It documents wallet onboarding, direct token transfers (caw tx transfer with --to, --token, --amount), contract calls (caw tx call), DeFi executions (Aave borrow/repay, Uniswap V3 swaps, DCA, grid trading, prediction market positions), and policy-enforced transaction submission (including gas handling and request-id idempotency). These are concrete "send transaction"/fund-movement capabilities (not generic tools), so it grants direct financial execution authority for crypto.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).